Skip to content

Commit

Permalink
8168261: Use server cipher suites preference by default
Browse files Browse the repository at this point in the history
Backport-of: 2eb8492
  • Loading branch information
GoeLin committed Jul 4, 2023
1 parent e5d6793 commit 003bdbb
Show file tree
Hide file tree
Showing 3 changed files with 122 additions and 3 deletions.
3 changes: 1 addition & 2 deletions src/java.base/share/classes/javax/net/ssl/SSLContextSpi.java
Original file line number Diff line number Diff line change
Expand Up @@ -210,10 +210,9 @@ protected SSLParameters engineGetDefaultSSLParameters() {
*/
protected SSLParameters engineGetSupportedSSLParameters() {
SSLSocket socket = getDefaultSocket();
SSLParameters params = new SSLParameters();
SSLParameters params = socket.getSSLParameters();
params.setCipherSuites(socket.getSupportedCipherSuites());
params.setProtocols(socket.getSupportedProtocols());
return params;
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ final class SSLConfiguration implements Cloneable {
this.identificationProtocol = null;
this.serverNames = Collections.<SNIServerName>emptyList();
this.sniMatchers = Collections.<SNIMatcher>emptyList();
this.preferLocalCipherSuites = false;
this.preferLocalCipherSuites = true;

this.applicationProtocols = new String[0];
this.enableRetransmissions = sslContext.isDTLS();
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.

/*
* @test
* @bug 8168261
* @summary Use server cipher suites preference by default
* @run main/othervm DefaultCipherSuitePreference
*/

import javax.net.SocketFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;

public class DefaultCipherSuitePreference {
private static final String[] contextAlgorithms = {
"Default", "SSL", "TLS", "SSLv3", "TLSv1",
"TLSv1.1", "TLSv1.2", "TLSv1.3"
};

public static void main(String[] args) throws Exception {
for (String algorithm : contextAlgorithms) {
System.out.println("Checking SSLContext of " + algorithm);
SSLContext sslContext = SSLContext.getInstance(algorithm);

// Default SSLContext is initialized automatically.
if (!algorithm.equals("Default")) {
// Use default TK, KM and random.
sslContext.init((KeyManager[])null, (TrustManager[])null, null);
}

//
// Check SSLContext
//
// Check default SSLParameters of SSLContext
checkDefaultCipherSuitePreference(
sslContext.getDefaultSSLParameters(),
"SSLContext.getDefaultSSLParameters()");

// Check supported SSLParameters of SSLContext
checkDefaultCipherSuitePreference(
sslContext.getSupportedSSLParameters(),
"SSLContext.getSupportedSSLParameters()");

//
// Check SSLEngine
//
// Check SSLParameters of SSLEngine
SSLEngine engine = sslContext.createSSLEngine();
engine.setUseClientMode(true);
checkDefaultCipherSuitePreference(
engine.getSSLParameters(),
"client mode SSLEngine.getSSLParameters()");

engine.setUseClientMode(false);
checkDefaultCipherSuitePreference(
engine.getSSLParameters(),
"server mode SSLEngine.getSSLParameters()");

//
// Check SSLSocket
//
// Check SSLParameters of SSLSocket
SocketFactory fac = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket)fac.createSocket();
checkDefaultCipherSuitePreference(
socket.getSSLParameters(),
"SSLSocket.getSSLParameters()");

//
// Check SSLServerSocket
//
// Check SSLParameters of SSLServerSocket
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket ssocket = (SSLServerSocket)sf.createServerSocket();
checkDefaultCipherSuitePreference(
ssocket.getSSLParameters(),
"SSLServerSocket.getSSLParameters()");
}
}

private static void checkDefaultCipherSuitePreference(
SSLParameters parameters, String context) throws Exception {
if (!parameters.getUseCipherSuitesOrder()) {
throw new Exception(
"The local cipher suite preference is not honored " +
"in the connection populated SSLParameters object (" +
context + ")");
}
}
}

1 comment on commit 003bdbb

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.